[OpenAFS] OpenAFS krb5 auth problems

Jeffrey Altman jaltman@secure-endpoints.com
Sat, 19 Feb 2011 20:10:49 -0500


MYKDOM.COM != gns.etc.test.mykdom.com

Do you have an afs krb.conf file that specifies that MYKDOM.COM is a
local realm for gns.etc.test.mykdom.com?   If not, gaspac@MYKDOM.COM is
a foreign principal to the cell.


On 2/19/2011 6:15 PM, Carson Gaspar wrote:
> I'm having issues setting up a new cell with krb5 auth - openafs 1.4.14,
> RHEL6. I have a nasty suspicion that all of this is being caused by an
> AFS keytab with the wrong salt, but as I'm not the one generating the
> keytab, I can't prove it. Below is all the debugging info I think might
> be useful, lightly redacted and the domain names changed to protect me
> ;-). Is this consistent with a salt problem, or is there something else
> I've done wrong? Any help would be appreciated, and I'm happy to provide
> more debugging info if what I have below isn't sufficient.
>
> gaspac:gns-afs-2 0 $ klist -dfane
> Ticket cache: FILE:/tmp/krb5cc_7508
> Default principal: gaspac@MYKDOM.COM
>
> Valid starting     Expires            Service principal
> 02/19/11 18:03:00  02/20/11 18:03:00  krbtgt/MYKDOM.COM@MYKDOM.COM
>         renew until 02/26/11 18:02:57, Flags: FRIA
>         Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>         Addresses: (none)
>
> gaspac:gns-afs-2 0 $ aklog -d
> Authenticating to cell gns.etc.test.mykdom.com (server
> gns-afs-2.etc.test.mykdom.com).
> Trying to authenticate to user's realm MYKDOM.COM.
> Getting tickets: afs/gns.etc.test.mykdom.com@MYKDOM.COM
> Using Kerberos V5 ticket natively
> About to resolve name gaspac to id in cell gns.etc.test.mykdom.com.
> Id 4
> Set username to AFS ID 4
> Setting tokens. AFS ID 4 /  @ MYKDOM.COM
>
> gaspac:gns-afs-2 0 $ tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 4) tokens for afs@gns.etc.test.mykdom.com [Expires Feb 20 18:03]
>    --End of list--
>
> gaspac:gns-afs-2 0 $ pts examine gaspac
> pts: Permission denied ; unable to find entry for (id: 4)
>
> root:gns-afs-2 0 # asetkey list
> kvno    3: key is: [REDACTED - matches klist]
> All done.
>
> root:gns-afs-2 1 # klist -kteK /usr/afs/etc/afs.keytab
> Keytab name: WRFILE:/usr/afs/etc/afs.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 02/13/11 22:01:26 afs/gns.etc.test.mykdom.com@MYKDOM.COM (DES cbc mode with CRC-32)  ([REDACTED - matches asetkey])
>
> root:gns-afs-2 0 # kinit -kt /usr/afs/etc/afs.keytab afs/gns.etc.test.mykdom.com@MYKDOM.COM
>
> root:gns-afs-2 1 # klist -dfane
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: afs/gns.etc.test.mykdom.com@MYKDOM.COM
>
> Valid starting     Expires            Service principal
> 02/19/11 17:54:35  02/20/11 17:54:35  krbtgt/MYKDOM.COM@MYKDOM.COM
>         renew until 02/26/11 17:54:35, Flags: FRI
>         Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>         Addresses: (none)
>
> root:gns-afs-2 0 # aklog -d
> Authenticating to cell gns.etc.test.mykdom.com (server
> gns-afs-2.etc.test.mykdom.com).
> Trying to authenticate to user's realm MYKDOM.COM.
> Getting tickets: afs/gns.etc.test.mykdom.com@MYKDOM.COM
> Using Kerberos V5 ticket natively
> About to resolve name afs.gns.etc.test.mykdom.com to id in cell
> gns.etc.test.mykdom.com.
> Id 3
> Set username to AFS ID 3
> Setting tokens. AFS ID 3 /  @ MYKDOM.COM
>
> root:gns-afs-2 0 # pts examine gaspac
> pts: Permission denied ; unable to find entry for (id: 4)
>
> Sat Feb 19 17:56:18 ~
> root:gns-afs-2 1 # pts examine gaspac -localauth
> Name: gaspac, id: 4, owner: system:administrators, creator:
> system:administrators,
>   membership: 1, flags: S-M--, group quota: unlimited.
>
> Sat Feb 19 17:56:22 ~
> root:gns-afs-2 0 # pts examine afs.gns.etc.test.mykdom.com -localauth
> Name: afs.gns.etc.test.mykdom.com, id: 3, owner: system:administrators,
> creator: system:administrators,
>   membership: 1, flags: S----, group quota: unlimited.
>
> root:gns-afs-2 0 # cat /usr/afs/etc/UserList
> admin
> afs.gns.etc.test.mykdom.com
> gaspac
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>


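Editor's note, added after the thread (an illustration, not OpenAFS source code): the local-realm check Jeffrey is pointing at can be modelled in a few shell functions. As understood here, an OpenAFS server always treats the uppercased cell name as a local realm, plus any realm listed in the server-side krb.conf (assumed to be /usr/afs/etc/krb.conf, next to the keytab shown above, holding whitespace-separated realm names); a principal from any other realm is foreign and is looked up in the protection database as user@realm rather than user. That is why, without such a file, a ticket for gaspac@MYKDOM.COM in cell gns.etc.test.mykdom.com resolves to a name with no PTS entry (so the caller is anonymous and pts examine is denied), while pts -localauth, which bypasses the token, finds id 4. The krb.conf parsing, the lowercasing of the foreign realm, the afs/host to afs.host name conversion (taken from the thread's own output) and the sample file contents are assumptions of this script; the real file is read by the server processes, so it only takes effect on the servers, not on the client running aklog.

```shell
#!/bin/sh
# Added illustration (not OpenAFS source): model of how an OpenAFS server
# decides whether a Kerberos principal's realm is local to the cell and,
# from that, which protection-database (PTS) name it looks up.
#
# Rule as understood here (assumption, not taken from the OpenAFS code):
#   - the cell name, uppercased, is always a local realm;
#   - every realm listed in the server's krb.conf is also local;
#   - a principal from any other realm is foreign and is looked up as
#     user@realm (realm lowercased); unless such an entry was created with
#     pts, the lookup fails and the caller is treated as anonymous.
# The '/' -> '.' conversion mirrors afs/host -> afs.host as seen in the thread.

# local_realms CELL KRB_CONF -> prints, one per line, the realms treated as local
local_realms() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
    if [ -r "$2" ]; then
        # krb.conf assumed to hold whitespace-separated realm names
        tr -s '[:space:]' '\n' < "$2" | grep -v '^$' | tr '[:lower:]' '[:upper:]'
    fi
}

# pts_name_for PRINCIPAL CELL KRB_CONF -> prints the PTS name the server would resolve
pts_name_for() {
    p=$1 c=$2 f=$3
    case $p in
        *@*) ;;
        *) echo "pts_name_for: '$p' has no realm" >&2; return 1 ;;
    esac
    realm=${p##*@}
    name=$(printf '%s' "${p%@*}" | tr '/' '.')
    urealm=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if local_realms "$c" "$f" | grep -Fqx "$urealm"; then
        printf '%s\n' "$name"            # local realm: plain user name
    else
        printf '%s@%s\n' "$name" "$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')"
    fi
}

# Walk through the thread's situation with a constructed krb.conf (the real
# file would live on the database and file servers, e.g. /usr/afs/etc/krb.conf).
demo() {
    cell=gns.etc.test.mykdom.com
    tmpconf=$(mktemp)

    echo "no krb.conf on the server:"
    pts_name_for gaspac@MYKDOM.COM "$cell" /nonexistent      # gaspac@mykdom.com (foreign, no PTS entry)
    pts_name_for "afs/$cell@MYKDOM.COM" "$cell" /nonexistent # afs.gns.etc.test.mykdom.com@mykdom.com

    echo "krb.conf listing MYKDOM.COM:"
    printf 'MYKDOM.COM\n' > "$tmpconf"
    pts_name_for gaspac@MYKDOM.COM "$cell" "$tmpconf"        # gaspac (id 4 in the thread)
    pts_name_for "afs/$cell@MYKDOM.COM" "$cell" "$tmpconf"   # afs.gns.etc.test.mykdom.com (id 3)
    rm -f "$tmpconf"
}

demo
```

The two runs of demo mirror the two outcomes in the thread: with no krb.conf, both the user principal and the afs/ service principal map to foreign names that do not exist in the protection database, which is consistent with every pts examine without -localauth being denied even when run with the afs service principal's own tokens; once MYKDOM.COM is listed as a local realm, the names collapse to gaspac and afs.gns.etc.test.mykdom.com, the entries that -localauth shows. Whether the 1.4.14 servers re-read the file without a restart is not something this note asserts; restarting the server processes after creating it is the safe assumption.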